Sources

Locally-configured Sources #

Adding a Source configuration #

Locally-configured sources are configured in your config.yaml file under the sources field.

Example config #

concurrency: "8"
logLevel: info
notifiers:
- isEnabled: true
  name: stdout secrets notifications
  sendUnverified: true
  type: NOTIFIER_TYPE_STDOUT
sources:
- connection:
    '@type': type.googleapis.com/sources.Confluence
    basicAuth:
      password: XXXXXXXXXXXXXXXXXXXXXXXXXX
      username: scanner-account@ourbusiness.com
    endpoint: https://ourbusiness.atlassian.net/wiki
  name: some Confluence data
  scanInterval: 43200s
  type: SOURCE_TYPE_CONFLUENCE
  verify: true
trufflehogAddress: https://gnarly-flying-pancake.c1.prod.trufflehog.org
trufflehogScannerGroup: account 1 - us-west-2
trufflehogScannerToken: thog-agent-XXXXXXXXXXXXXXXXXXXXXXXXXX
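The source entries on this page all share the same shape (a `type`, a `connection` whose `'@type'` must match it, a `scanInterval`, a `verify` flag), and the mistake that slips through most often is shipping one of the placeholder credentials from these examples. The linter below is an added example, not part of the TruffleHog product or its documentation: it takes the config as a parsed dict (in practice the result of `yaml.safe_load()` on your `config.yaml`) and reports mismatched types, missing fields, malformed intervals, and placeholder secrets. The type pairs are the ones shown in the examples on this page; the sample config is constructed.

```python
"""Lint a parsed TruffleHog config.yaml before deploying it (added example)."""
import re

# SOURCE_TYPE_* -> expected connection '@type', taken from this page's examples.
EXPECTED_TYPE = {
    "SOURCE_TYPE_CONFLUENCE": "type.googleapis.com/sources.Confluence",
    "SOURCE_TYPE_JFROG_ARTIFACTORY": "type.googleapis.com/sources.Artifactory",
    "SOURCE_TYPE_BITBUCKET": "type.googleapis.com/sources.Bitbucket",
    "SOURCE_TYPE_BUILDKITE": "type.googleapis.com/sources.Buildkite",
    "SOURCE_TYPE_FILESYSTEM": "type.googleapis.com/sources.Filesystem",
    "SOURCE_TYPE_GERRIT": "type.googleapis.com/sources.Gerrit",
    "SOURCE_TYPE_GIT": "type.googleapis.com/sources.Git",
    "SOURCE_TYPE_GITHUB": "type.googleapis.com/sources.GitHub",
    "SOURCE_TYPE_GITLAB": "type.googleapis.com/sources.GitLab",
    "SOURCE_TYPE_JENKINS": "type.googleapis.com/sources.Jenkins",
    "SOURCE_TYPE_JIRA": "type.googleapis.com/sources.JIRA",
    "SOURCE_TYPE_SLACK": "type.googleapis.com/sources.Slack",
    "SOURCE_TYPE_S3": "type.googleapis.com/sources.S3",
}
REQUIRED_SOURCE_FIELDS = ("name", "type", "connection", "scanInterval", "verify")
SECRET_KEYS = ("password", "token", "accessToken", "secret")
# Placeholder values that appear in the documentation examples; a deployed
# config must never still contain them.
PLACEHOLDER_RE = re.compile(r"^(X{8,}|access_token|secret|clonePassword|t0ken)$")
INTERVAL_RE = re.compile(r"^\d+s$")


def _secret_values(node):
    """Yield (key, value) for every credential-looking string in a nested dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SECRET_KEYS and isinstance(value, str):
                yield key, value
            else:
                yield from _secret_values(value)
    elif isinstance(node, list):
        for item in node:
            yield from _secret_values(item)


def lint_config(cfg):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    sources = cfg.get("sources")
    if not isinstance(sources, list) or not sources:
        return ["config has no 'sources' list"]
    for i, src in enumerate(sources):
        label = f"sources[{i}] ({src.get('name', '<unnamed>')})"
        for field in REQUIRED_SOURCE_FIELDS:
            if field not in src:
                problems.append(f"{label}: missing '{field}'")
        src_type = src.get("type")
        conn = src.get("connection") or {}
        expected = EXPECTED_TYPE.get(src_type)
        if expected is None:
            problems.append(f"{label}: unknown type {src_type!r}")
        elif conn.get("@type") != expected:
            problems.append(f"{label}: connection '@type' should be {expected}, got {conn.get('@type')!r}")
        interval = src.get("scanInterval")
        if interval is not None and not INTERVAL_RE.match(str(interval)):
            problems.append(f"{label}: scanInterval {interval!r} is not a duration like '43200s'")
        for key, value in _secret_values(conn):
            if PLACEHOLDER_RE.match(value):
                problems.append(f"{label}: '{key}' still holds the placeholder value {value!r}")
    return problems


# Constructed sample: one correct Confluence source and one broken GitHub
# source (wrong '@type', placeholder token, bad scanInterval, missing 'verify').
SAMPLE_CONFIG = {
    "sources": [
        {
            "connection": {
                "@type": "type.googleapis.com/sources.Confluence",
                "basicAuth": {"password": "real-api-token-value",
                              "username": "scanner-account@ourbusiness.com"},
                "endpoint": "https://ourbusiness.atlassian.net/wiki",
            },
            "name": "some Confluence data",
            "scanInterval": "43200s",
            "type": "SOURCE_TYPE_CONFLUENCE",
            "verify": True,
        },
        {
            "connection": {
                "@type": "type.googleapis.com/sources.Git",
                "endpoint": "https://github.ourbusiness.com",
                "token": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
            },
            "name": "some GitHub data",
            "scanInterval": "12h",
            "type": "SOURCE_TYPE_GITHUB",
        },
    ]
}

if __name__ == "__main__":
    for problem in lint_config(SAMPLE_CONFIG):
        print(problem)
```

Run it against the sample and the four findings all point at the second source; wire `lint_config` into a pre-deploy step so a config with a leftover `XXXX…` token never reaches a scanner group.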

Artifactory #

Artifactory with Access Token #

It is recommended to generate an access token for a user with read-only permissions. To do so, create a new user in the JFrog Artifactory UI under “Identity and Access.” Leave all roles unchecked and ensure the user is added to the readers group (selected by default). Once created, navigate to the “Access Tokens” tab and generate a token for the newly created user.

sources:
- connection:
    '@type': type.googleapis.com/sources.Artifactory
    accessToken: access_token
    endpoint: https://example.jfrog.io
  name: Artifactory repository artifacts
  scanInterval: 43200s
  type: SOURCE_TYPE_JFROG_ARTIFACTORY
  verify: true

Artifactory with Basic Authentication #

Alternatively, basic authentication can be used.

sources:
- connection:
    '@type': type.googleapis.com/sources.Artifactory
    basicAuth:
      password: secret
      username: username
    endpoint: https://example.jfrog.io
  name: Artifactory repository artifacts
  scanInterval: 43200s
  type: SOURCE_TYPE_JFROG_ARTIFACTORY
  verify: true

password may be one of:

  • Access token
  • Account password
  • API key

BitBucket #

sources:
- connection:
    '@type': type.googleapis.com/sources.Bitbucket
    basicAuth:
      password: XXXXXXXXXXXXXXXXXXXXXXXXXX
      username: scanner-account
    endpoint: https://bitbucket.ourbusiness.com
  name: some BitBucket git data
  scanInterval: 43200s
  type: SOURCE_TYPE_BITBUCKET
  verify: true

If using basic auth with an App Password, the password must have Read access for both the Account and Repositories selected.

Buildkite #

Your API Access Token must have GraphQL API access enabled along with the following REST API Scopes: Organization Access, Read Artifacts, Read Builds, Read Build Logs, and Read Pipelines.

sources:
- connection:
    '@type': type.googleapis.com/sources.Buildkite
    token: XXXXXXXXXXXXXXXXXXXXXXXXXX
  name: Buildkite logs and artifacts
  scanInterval: 43200s
  type: SOURCE_TYPE_BUILDKITE
  verify: true

Confluence #

For Confluence Cloud, use basic authentication with your email address as the username and a Confluence Cloud API token as the password.

Creating a token on Atlassian Cloud

For on-premise Confluence instances, you can use a username and password with basic authentication, or you can use a personal access token (PAT) with token authentication.

Confluence with basic authentication #

sources:
- connection:
    '@type': type.googleapis.com/sources.Confluence
    basicAuth:
      password: XXXXXXXXXXXXXXXXXXXXXXXXXX
      username: scanner-account@ourbusiness.com
    endpoint: https://ourbusiness.atlassian.net/wiki
  name: some Confluence data
  scanInterval: 43200s
  type: SOURCE_TYPE_CONFLUENCE
  verify: true

Confluence with personal access token (PAT) #

sources:
- connection:
    '@type': type.googleapis.com/sources.Confluence
    endpoint: https://ourbusiness.atlassian.net/wiki
    token: XXXXXXXXXXXXXXXXXXXXXXXXXX
  name: some Confluence data
  scanInterval: 43200s
  type: SOURCE_TYPE_CONFLUENCE
  verify: true

Filesystem #

sources:
- connection:
    '@type': type.googleapis.com/sources.Filesystem
    directories:
    - /home/me/dev
  name: some filesystem data
  scanInterval: 43200s
  type: SOURCE_TYPE_FILESYSTEM
  verify: true

File and Stdin #

Help #


$ trufflehog file --help         
usage: TruffleHog file [<flags>] [<path>]

Scan a file (defaults to standard in)

Flags:
      --help                  Show context-sensitive help (also try --help-long and --help-man).
  -v, --debug                 Enable debug mode.
      --trace                 Enable tracing of code line numbers.
      --json                  Enable JSON output.
      --send-error-telemetry  Turns error telemetry off.
      --quiet                 Only show results.

Args:
  [<path>]  Path of the file to scan

Example #

You will need to obtain credentials to run this. You can get them by creating a scanner group (on your isolated instance go to settings -> scanners) and downloading the config.

Tip: run with --no-update when invoking the scanner frequently; skipping the update check cuts startup time.


# 3 different ways you can invoke the stdin and file scanner

./trufflehog file --config config.yaml --json /etc/passwd

cat /etc/passwd | ./trufflehog file --config config.yaml --json

./trufflehog file --config config.yaml --json < /etc/passwd

When using Docker, you must include the --interactive or -i flag (but not -t or --tty) for Docker to pass stdin through to TruffleHog:


docker run --net=host --restart=unless-stopped -v $(pwd)/config.yaml:/tmp/config.yaml -i us-docker.pkg.dev/thog-artifacts/public/scanner:latest file --config=/tmp/config.yaml

Gerrit #

If you omit projects, all code projects that the credential can list and access will be scanned.

sources:
- connection:
    '@type': type.googleapis.com/sources.Gerrit
    basicAuth:
      password: XXXXXXXXXXXXXXXXXXXXXXXXXX
      username: scanner-account
    endpoint: https://gerrit.example.com
  name: Gerrit
  scanInterval: 43200s
  type: SOURCE_TYPE_GERRIT
  verify: true

Git #

The Git source expects a list of repository URIs and/or a list of local directories containing repositories to scan.

Unauthenticated #

sources:
- connection:
    '@type': type.googleapis.com/sources.Git
    directories:
    - /home/me/dev/vscode
    repositories:
    - https://github.com/dustin-decker/secretsandstuff.git
    unauthenticated: {}
  name: some unauthenticated Git data
  scanInterval: 43200s
  type: SOURCE_TYPE_GIT
  verify: true

Basic Auth #

sources:
- connection:
    '@type': type.googleapis.com/sources.Git
    basicAuth:
      password: clonePassword
      username: cloneUser
    repositories:
    - https://github.com/dustin-decker/secretsandstuff.git
  name: some basic auth Git data
  scanInterval: 43200s
  type: SOURCE_TYPE_GIT
  verify: true

SSH Auth #

sources:
- connection:
    '@type': type.googleapis.com/sources.Git
    repositories:
    - ssh://github.com/dustin-decker/secretsandstuff.git
    sshAuth: {}
  name: some SSH auth Git data
  scanInterval: 43200s
  type: SOURCE_TYPE_GIT
  verify: true

GitHub #

Personal Access Tokens should be created with the following scopes: repo, gist, and read:org.

sources:
- connection:
    '@type': type.googleapis.com/sources.GitHub
    endpoint: https://github.ourbusiness.com
    includeForks: true
    scanUsers: true
    token: XXXXXXXXXXXXXXXXXXXXXXXXXX
  name: some GitHub data
  scanInterval: 43200s
  type: SOURCE_TYPE_GITHUB
  verify: true

GitLab #

Token Auth #

The GitLab token should be created with the read_api scope.

sources:
- connection:
    '@type': type.googleapis.com/sources.GitLab
    endpoint: https://gitlab.ourbusiness.com
    token: XXXXXXXXXXXXXXXXXXXXXXXXXX
  name: some GitLab data
  scanInterval: 43200s
  type: SOURCE_TYPE_GITLAB
  verify: true

Basic Auth #

sources:
- connection:
    '@type': type.googleapis.com/sources.GitLab
    basicAuth:
      password: t0ken
      username: svc-user
    endpoint: https://gitlab.ourbusiness.com
  name: some GitLab data
  scanInterval: 43200s
  type: SOURCE_TYPE_GITLAB
  verify: true

Jenkins #

sources:
- connection:
    '@type': type.googleapis.com/sources.Jenkins
    basicAuth:
      password: XXXXXXXXXXXXXXXXXXXXXXXXXX
      username: scanner-account
    endpoint: https://jenkins.example.com
  name: Jenkins logs and artifacts
  scanInterval: 43200s
  type: SOURCE_TYPE_JENKINS
  verify: true

JIRA #

For JIRA Cloud, use basic authentication with your email address as the username and a JIRA Cloud API token as the password.

Creating a token on Atlassian Cloud

For on-premise JIRA instances, you can use a username and password with basic authentication, or you can use a personal access token (PAT) with token authentication.

If you omit projects, all projects that the credential can list and access will be scanned.

JIRA with basic authentication #

sources:
- connection:
    '@type': type.googleapis.com/sources.JIRA
    basicAuth:
      password: XXXXXXXXXXXXXXXXXXXXXXXXXX
      username: scanner-account@ourbusiness.com
    endpoint: https://ourbusiness.atlassian.net
    projects:
    - ENG
    - ITSYS
  name: some JIRA data
  scanInterval: 43200s
  type: SOURCE_TYPE_JIRA
  verify: true

JIRA with personal access token (PAT) #

sources:
- connection:
    '@type': type.googleapis.com/sources.JIRA
    endpoint: https://ourbusiness.atlassian.net
    projects:
    - ENG
    - ITSYS
    token: XXXXXXXXXXXXXXXXXXXXXXXXXX
  name: some JIRA data
  scanInterval: 43200s
  type: SOURCE_TYPE_JIRA
  verify: true

Microsoft Teams #

When configuring the Teams scanner from the UI, the Team ID refers to your Microsoft Teams team ID. To find it, open the Teams app, click the … button next to the team in the left-hand pane (the team itself, not one of its channels) and click “Get link to team”.

Get Team Link Location

The Team ID is the value that directly follows groupId= in the link provided (e.g. ...groupId=<Team ID>&tenantId=...).

Get Teams Team ID

The Teams integration requires the web UI in order to successfully scan sources. (Local config will be made available in the near future with the use of Client Credentials or Oauth2.)

Slack #

sources:
- connection:
    '@type': type.googleapis.com/sources.Slack
    channels:
    - General
    - Random
    endpoint: https://mybusiness.slack.com
    ignoreList:
    - General
    token: XXXXXXXXXXXXXXXXXXXXXXXXXX
  name: some Slack workspace
  scanInterval: 43200s
  type: SOURCE_TYPE_SLACK
  verify: true

Single Workspace App #

If you are able, we recommend installing Slack from the UI: it is much easier, and it also scans faster because it has higher rate limits.

You may create your own single workspace Slack app to utilize with TruffleHog and provide the refresh token in the token field in the example above. Below are the steps to create the app.

  1. Start creating the app here

  2. Give the app a name and choose the workspace you want TruffleHog to operate on. (You will need separate apps to cover multiple workspaces.)

Name your app

  3. Update the “User Token Scopes” section with the following scopes:
  • users:read
  • users:read.email
  • channels:history
  • channels:read
  • groups:history
  • groups:read
  • files:read

Add user permissions

  4. Make sure everything is saved and looks correct, then install your app!

Install your app

  5. If your user does not have permission to install the app, it may send a request to your Slack admin asking them to approve it. If so, it may be a good idea to give them a heads up before you do this :)

Approve the app install

  6. Copy your newly minted token and paste it into the token field of the local configuration file above. (TIP: remove the channels line and its values if you want TruffleHog to scan all accessible channels.)

Copy token to config
Paste your token into your config

  7. Once you run your local scan, TruffleHog will pick up and scan the configured Slack source!

S3 #

If you omit buckets, all buckets that the credential can list and access will be scanned.

Example IAM policy:


{
	"Version":"2012-10-17",
	"Statement":[
		{
			"Effect":"Allow",
			"Action":[
				"s3:GetBucketLocation",
				"s3:ListAllMyBuckets",
				"s3:ListBucket",
				"s3:GetObject"
			],
			"Resource":"*"
		}
	]
}
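The policy above is deliberately read-only: the four actions are exactly what the scanner needs to enumerate buckets and fetch objects. Because `"Resource": "*"` already spans every bucket, any extra action (or a wildcard such as `s3:*`) added to the same role turns a scanner credential into one that can modify or delete data. The check below is an added example, not part of TruffleHog or its documentation: it parses a policy document and reports every Allow action outside the documented set, so the policy can be gated in CI before it is attached to the scanner's IAM user or role. The allowed set is taken from the policy on this page; the over-broad sample policy is constructed.

```python
"""Report IAM actions in an S3 scanner policy beyond the documented read-only set (added example)."""
import json

# The actions the documented policy grants; a read-only scanner needs nothing more.
ALLOWED_ACTIONS = {
    "s3:GetBucketLocation",
    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:GetObject",
}

# The policy exactly as documented on this page.
DOCUMENTED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
        "Resource": "*",
    }],
})

# Constructed sample: the documented statement plus an over-privileged one that a
# well-meaning admin might add "to be safe". The bucket name is a placeholder.
OVERBROAD_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        json.loads(DOCUMENTED_POLICY_JSON)["Statement"][0],
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-scanner-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})


def excess_actions(policy_json):
    """Return the set of Allow-granted actions that are not in ALLOWED_ACTIONS.

    Deny statements never add privilege and are skipped. A NotAction grant
    (everything except the listed actions) is reported as-is, since it can
    never be least-privilege for a read-only scanner. Wildcard actions such as
    "s3:*" are reported verbatim: they match far more than the documented set.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    excess = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excess.add("NotAction")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                excess.add(action)
    return excess


def is_read_only(policy_json):
    """True when every Allow action in the policy is one of the documented four."""
    return not excess_actions(policy_json)


if __name__ == "__main__":
    print("documented policy read-only:", is_read_only(DOCUMENTED_POLICY_JSON))
    print("over-broad policy excess:", sorted(excess_actions(OVERBROAD_POLICY_JSON)))
```

The check reasons only about actions; it does not evaluate `Condition` blocks or resource ARNs, so a policy it rejects may still be acceptable in context, but a policy it accepts grants no more than the documented read-only set.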

Configuration:

sources:
- connection:
    '@type': type.googleapis.com/sources.S3
    cloudEnvironment: {}
  name: some S3 data
  scanInterval: 43200s
  type: SOURCE_TYPE_S3
  verify: true

S3 with static credentials #

sources:
- connection:
    '@type': type.googleapis.com/sources.S3
    accessKey:
      key: AKIAKEYID
      secret: XXXXXXXXXXXXXXXXXXXXXXXXXX
    buckets:
    - bucket-one
    - bucket-two
  name: some S3 data
  scanInterval: 43200s
  type: SOURCE_TYPE_S3
  verify: true

Last updated on 09-28-2022 #